agenttesla

General

Target

Payment Advice.vbs
Size

52KB
Sample

230212-yenv8sfe3v
MD5

3111ae1b6a9e1c173eaf3a7bda34ca7f
SHA1

c2a6e03871105706b5889bd1078a402efc67a268
SHA256

3a8e672d0d59855db74d28528c41684357e7e534312f8feb3908c5e4d5856678
SHA512

5533f1ca1c0588d2fee1b9aa0c1977ac539ebe86db30b1d022239fbc3276e9d87a4c79a399ae68e37a039acac95f7a703ff23070596a7643a33c17baeab79af1
SSDEEP

768:r+1VMDvbrLLMAedsaNLQnxeP+Fs4ofdESVBrps/7hk1+N52K:rvLLYAeCaNMxefwDh

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/Kvin.snp

Targets

- Target
  
  Payment Advice.vbs
- Size
  
  52KB
- MD5
  
  3111ae1b6a9e1c173eaf3a7bda34ca7f
- SHA1
  
  c2a6e03871105706b5889bd1078a402efc67a268
- SHA256
  
  3a8e672d0d59855db74d28528c41684357e7e534312f8feb3908c5e4d5856678
- SHA512
  
  5533f1ca1c0588d2fee1b9aa0c1977ac539ebe86db30b1d022239fbc3276e9d87a4c79a399ae68e37a039acac95f7a703ff23070596a7643a33c17baeab79af1
- SSDEEP
  
  768:r+1VMDvbrLLMAedsaNLQnxeP+Fs4ofdESVBrps/7hk1+N52K:rvLLYAeCaNMxefwDh
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2